iOS error cloning https repositories: The SSL certificate is invalid

[isaac]

Code to reproduce error:

    NSURL *url = [NSURL URLWithString:@"https://github.com/isaac/test.git"];
    NSURL *dir = [NSURL fileURLWithPath:@"/Users/Isaac/Downloads/test"];
    NSError *error = nil;
    [GTRepository cloneFromURL:url toWorkingDirectory:dir barely:YES withCheckout:NO error:&error transferProgressBlock:NULL checkoutProgressBlock:NULL];
    NSLog(@"%@", error);

Full error:

2013-08-30 10:27:27.179 CloneiOS[69861:a0b] Error Domain=GTGitErrorDomain Code=-1 "Failed to clone repository from https://github.com/isaac/test.git to file:///Users/Isaac/Downloads/test" UserInfo=0x98c2f00 {NSUnderlyingError=0x98c2c20 "The SSL certificate is invalid", NSLocalizedDescription=Failed to clone repository from https://github.com/isaac/test.git to file:///Users/Isaac/Downloads/test}

The code above clones the repository successfully on Mac OS X with no errors.

This pull request suppresses the error on iOS, but I'm not sure if this is the right way to go.

Thoughts?

[jspahrsummers]

I've heard of certificate errors with https://github.com that people have had in Xcode too. I'm really not sure what the root cause is.

@shawndavenport @sroberts @mastahyeti @arrbee Do you guys have any thoughts on what's going on here?

[shawndavenport]

Hey @isaac, this sounds similar to something I've encountered in the past. Any chance you can check Keychain Access and search for "DigiCert" and let me know if you find any CA certs outside of System Roots?

You should only find the following:

The DigiCert High Assurance EV Root CA cert with s/n 02 AC 5C 26 6A 0B 40 9B 8F 0B 79 F2 AE 46 25 77 is our root, but I've seen systems were there was a duplicate of this cert in the login keychain marked untrusted causing the mac signing tool to fail. Removing that duplicate, or manually marking it trusted, has resolved the problem in the past.

[jspahrsummers]

@shawndavenport The weird part about it is that it sounds like it's happening only on iOS, not OS X. I don't know if it's even possible to see the system certificates on iOS.

[isaac]

@shawndavenport - looks like I have the same Digicert certificates as you (serial number matches also):

[shawndavenport]

@jspahrsummers: well damn look at that, iOS right there in the subject. Sorry I missed that. So, you can view certs that have been installed in a Profile under Settings > General > Profiles.

@isaac, it seems very unlikely this is the problem, but you might want to look and see if there are any DigiCert CA certs installed under any user profiles and marked untrusted.

I wish that error was a bit more helpful.

[isaac]

@shawndavenport - nope those appear to be the only DigiCert CA certs that are installed.

I get the same error when running this code on my iPad and in the iOS simulator. There are no certificates listed under Settings > General > Profiles in the simulator. On my iPad the only certificate listed is my iOS Team Provisioning Profile downloaded from the iOS Dev Center.

[isaac]

@jspahrsummers - how would you like to proceed with this?

I was thinking it might be a good idea to introduce an options argument toGTRepository.cloneFromURL... - these options could also incorporate the existing barely argument and potentially the transferProgressBlock argument - what do you think?

[jspahrsummers]

I'm not confident in this fix as-is because it opens a huge security hole. However, adding an options parameter that you can control from the client application seems reasonable. 👍

[isaac]

@jspahrsummers - pull request here: #252

[jspahrsummers]

In the future, can you open separate pull requests, instead of converting issues to PRs? A pull request is just one proposed solution for an issue, so it doesn't always make sense to reuse the issue for it. This case is great example — the real solution will be coming in #252.